Cheap Android Phones Shipped with Fake WhatsApp and Telegram Apps Targeting Crypto Users

Since June 2024, low-cost Android smartphones made by Chinese companies have been shipping with pre-installed trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality.

Although preloaded malware is not a new phenomenon, the recent findings from Russian antivirus vendor Doctor Web mark a significant escalation: threat actors have directly infiltrated the supply chain of several Chinese manufacturers to preload brand-new devices with malicious apps.

According to the company, the fraudulent applications were detected directly in the phones' firmware. In this case the malicious code was added to the WhatsApp messenger.

The affected devices are said to be low-end models whose names (S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra) mimic well-known premium models from Samsung and Huawei. At least four of the affected devices are of the SHOWJI brand.

Users are said to have been given the false impression that the phones run Android 14 and have upgraded hardware, through an app that spoofs the technical specifications shown on the About Device page as well as in hardware and software information utilities such as AIDA64 and CPU-Z.

The trojan, named Shibai, was injected into otherwise legitimate applications using an open-source project called , which was used to build the malicious Android apps. About 40 different apps, including messengers and QR code scanners, are believed to have been modified in this way.

In the artifacts Doctor Web examined, the malware hijacks the app update process to fetch an APK file from a server controlled by the attacker, and it scans chat conversations for strings matching Ethereum or Tron wallet address patterns. When one is found, it is swapped for the adversary's address so that transactions are redirected.

Doctor Web said that when an outgoing message is sent, the compromised device displays the correct address of the victim's own wallet, while the recipient of the message is shown the address of the fraudsters' wallet.

"And when an incoming message is received, the sender sees the address of their own wallet," the statement continues. "On the victim's device, however, the incoming address is replaced with the address of the hackers' wallet."
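As an added defender-side illustration (not code from Doctor Web or from the article), the same Ethereum and Tron address patterns the clipper scans chats for can be used to flag a substitution by comparing the text a user composed with the text that actually left the device. The regexes, the base58 helpers and the sample addresses below are constructed for this example; the Tron checksum rule (base58check over 0x41 plus a 20-byte hash) is standard.

```python
import hashlib
import re

# Wallet-address shapes the clipper scans chats for (regexes constructed here,
# not taken from Doctor Web's report).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # leading zeros -> '1'

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def tron_address(pubkey_hash20: bytes) -> str:
    """Tron mainnet address: base58(0x41 || 20-byte hash || 4-byte checksum)."""
    payload = b"\x41" + pubkey_hash20
    return b58encode(payload + checksum(payload))

def is_valid_tron(addr: str) -> bool:
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and raw[21:] == checksum(raw[:21])

def extract_addresses(text: str) -> list:
    """Ethereum addresses by shape; Tron addresses only if the checksum verifies."""
    return ETH_RE.findall(text) + [a for a in TRON_RE.findall(text) if is_valid_tron(a)]

def find_substitutions(composed: str, transmitted: str) -> list:
    """Pair the addresses in the text the user typed with those in the text that
    left the device; a differing pair is a clipper-style swap."""
    pairs = zip(extract_addresses(composed), extract_addresses(transmitted))
    return [(a, b) for a, b in pairs if a != b]
```

The same comparison is the manual mitigation the report implies: confirm the address over a second channel rather than trusting what the compromised device renders.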

In addition to replacing wallet addresses, the malware can send device information, all WhatsApp messages, and .jpg, .png, and .jpeg images from the DCIM, Pictures, Alarms, Downloads, Documents, and Screenshots folders to the attacker's server.

The purpose of this is to search the stored images for mnemonic (seed) phrases, which would allow the threat actors to gain unauthorized access to the victims' wallets and steal the assets.

Although it is unknown who is behind the campaign, the attackers have been found to use more than 60 command-and-control (C2) servers to manage the operation and about 30 domains to distribute the malicious applications.

The threat actors' nearly two dozen cryptocurrency wallets have received more than $1.6 million over the past two years, indicating that the supply chain compromise has had a significant impact.

The development comes as Swiss cybersecurity firm PRODAFT detailed a new Android malware family, known as Gorilla, that is designed to gather user data (including device model, phone number, Android version, installed apps, and SIM card details), maintain persistent access, and receive commands from a remote server.

It is primarily focused on SMS interception and persistent communication with its command-and-control (C2) server, the company said in an analysis. Unlike many advanced malware strains, Gorilla does not yet employ obfuscation techniques, which suggests it may still be in active development.

In recent months, Android apps embedding the FakeApp trojan have also been discovered propagating via the Google Play Store; they use a DNS server to retrieve a configuration that contains a URL to be loaded.

These apps, which have since been removed from the marketplace, impersonate well-known and popular games and apps and are equipped with the ability to receive external commands that can open unwanted websites or display phishing windows.
